Time to Retire SSL 3.0

As a general security precaution, Mendix will be shutting down the legacy SSL 3.0 protocol on our platform and for all Mendix-hosted environments. This will happen on Thursday, December 18th, 2014. We see that less than 0.1% of all requests through our HTTP routing layer still use SSL 3.0; the others use the more secure successor TLS 1.x. Because the usage is so low and TLS support has been generally available for all platforms for a long time, now is the right time to turn off SSL 3.0.

Please note that this does not mean your application traffic is vulnerable to the POODLE exploit released a few weeks ago, as we don’t use any of the vulnerable cipher suites in SSL 3.0.

We have notified Technical Contacts of apps where SSL 3.0 is still used via e-mail. In case you missed that communication, you are advised to turn on TLS and disable SSL in your browsers. To do so, please follow this guide.